Adversary Threat Tactics are Changing

Early 2010s: Zero-day vulnerabilities
(Nation State, Industrial Espionage, Black Market)

Today: Rapidly weaponizing newly-disclosed vulnerabilities
(Good, Fast, Cheap - Pick 3)


Known Critical Vulnerabilities are Increasing

- 14-16K vulnerabilities disclosed, 2017-2019
- 30-40% are ranked as "High" or "Critical" severity
- Worm-able vulnerabilities are increasing (WannaCry, BlueKeep)
- Mean Time to Weaponize is rapidly decreasing year over year

[Chart: vulnerability disclosures per year, 2005 onward]


Let's Talk About BlueKeep (RDP Vulnerability)

Headlines shown on the slide:

"U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert"
By Sergiu Gatlan, June 17, 2019, 11:13 AM

"US company selling weaponized BlueKeep"
An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially.
By Catalin Cimpanu for Zero Day | July 25, 2019, 09:06 GMT (02:06 PDT) | Topic: Security

"BlueKeep Exploits Appear as Security Firms Continue to Worry About Cyberattack"
The lack of an attack has puzzled some security experts, but the general advice remains that companies should patch their vulnerable systems more quickly.

Just two weeks ago:
"Windows 'BlueKeep' Attack That U.S. Government Warned About Is Happening Right Now"


Get Proactive - Reduce the Attack Surface

- Immediately discover assets and vulnerabilities
- Notify IT asset owner to patch / stop the instance
- Change configuration to limit unauthorized access
- Control network access / cloud security groups
- Add endpoint detection and response
Proactively Hunt, Detect, and Respond

Indication of Compromise: detect malware, IOCs, IOAs, and verify threat intel

Passive Network Sensor: what devices are on the network? Are there ... traffic ...?
Qualys IOC - Hunt Using Threat Intel

Threat intelligence lists attack information ... (excerpt from the US-CERT report shown on the slide):

NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing
October 6, 2017

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list.

Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage
VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

Delivery — MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation — MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) — MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions
NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

Search for the file hash here...
Indication of Compromise - Hunting

[Screenshot: Qualys IOC Hunting view (Qualys demo). Searching the credential-stealer hash d926e76030f19f1f7ef0b3cd1a4e80f9 over the last 7 days returns 2 total events: object svvchost.exe, seen a day ago on assets WIN2008R2-11566 and WIN7-320860-T44 (10.11.114.109).]

Find the object there.

Detect Malware Missed by Anti-Virus

UK Government Contractor
- "Big 4" anti-virus installed
- Qualys Agent for Vulnerability Mgmt
- Added Qualys IOC on existing agents
- 256 hosts

Qualys IOC discovered...
- Dridex Banking Trojan (51)
- 4 domain controllers infected
- Backdoors (7) installed due to phishing campaigns
- Netcat (8) root kits installed
- 46 PUAs installed
Beyond Endpoint Detection and Response:
How can I better protect my crown jewels?

Threat Hunting Assumptions:
- Every user machine can be compromised - it only takes one
- Every Remote Code Execution (RCE) vulnerability can be exploited
- Local Privilege Escalation and Credential Harvesting are used to move laterally
- System misconfigurations are often overlooked and easy to exploit
- Network segmentation is rarely used internally due to management
- All attacks are not equal: can adversaries reach my Critical Servers?
Adversary Lateral Movements (Attack Paths)

[Diagram: security tiers from lower to higher: User Segments, Business Apps / IT Systems, Tier 0 Systems]

1. Bad actor compromises a user machine (email, phishing, watering hole, ...)
2. Find systems in higher security tiers by looking for existing connections or network reconnaissance.
3. Laterally move to the new system by:
   - Exploiting open vulnerabilities
   - Taking advantage of misconfigurations
   - Using compromised credentials
Finding Attack Paths

Network Reachability
- Determine connections between hosts using Cloud Agent
- Passive + Active network collection
- Store these connections in a Graph Database for fast query

+

Asset Security Posture
- Remote Code Execution Vulnerabilities
- System Misconfigurations
- Malware and Indicators of Activity
Attack Path Discovery to Prioritize Patching and Improve Security Defenses
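The "Adversary Lateral Movements" and "Finding Attack Paths" slides describe one computation: observed host-to-host connections form a graph, each host's posture (open RCE findings, misconfigurations, credentials valid on it) decides whether an adversary can step onto it, and the paths from the user segment to Tier 0 systems are what get prioritized. The added example below implements that computation in plain Python with an in-memory adjacency dict standing in for the graph database; it is not Qualys code or the product's algorithm. The hosts, the connection edges, the credential labels and the misconfiguration name are constructed; the two vulnerability labels reuse names the deck mentions (BlueKeep, ETERNALBLUE). The what-if function goes one step beyond the slide: it re-runs discovery with a single finding remediated, which is what turns a path list into a patch order.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Security tiers as drawn on the "Adversary Lateral Movements" slide, lowest to highest.
TIER_RANK = {"User Segments": 0, "Business Apps / IT Systems": 1, "Tier 0 Systems": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str
    rce_vulns: FrozenSet[str] = frozenset()    # open remote-code-execution findings
    misconfigs: FrozenSet[str] = frozenset()   # exploitable system misconfigurations
    credentials: FrozenSet[str] = frozenset()  # credential sets harvestable on / valid for this host


Hop = Tuple[str, Tuple[str, ...]]  # (host reached, reasons the hop was possible)


def hop_reasons(target: Asset, held_creds: FrozenSet[str]) -> Tuple[str, ...]:
    """All ways an adversary already holding `held_creds` could move onto `target` (slide step 3)."""
    reasons = [f"rce:{v}" for v in sorted(target.rce_vulns)]
    reasons += [f"misconfig:{m}" for m in sorted(target.misconfigs)]
    reasons += [f"creds:{c}" for c in sorted(held_creds & target.credentials)]
    return tuple(reasons)


def find_attack_paths(assets: Dict[str, Asset], edges: Dict[str, List[str]],
                      start_tier: str = "User Segments",
                      target_tier: str = "Tier 0 Systems") -> List[List[Hop]]:
    """Enumerate simple paths from any start_tier host to any target_tier host, following only
    observed connections (slide step 2) and hops the security posture makes possible."""
    paths: List[List[Hop]] = []

    def walk(host: str, held: FrozenSet[str], path: List[Hop]) -> None:
        for nxt in edges.get(host, []):
            if any(h == nxt for h, _ in path):  # simple paths only
                continue
            reasons = hop_reasons(assets[nxt], held)
            if not reasons:
                continue
            new_path = path + [(nxt, reasons)]
            if assets[nxt].tier == target_tier:
                paths.append(new_path)  # stop at the crown jewels
            else:
                # Credentials harvested on the new host are available for the next hop.
                walk(nxt, held | assets[nxt].credentials, new_path)

    for name, asset in assets.items():
        if asset.tier == start_tier:  # slide step 1: any user machine can be the entry point
            walk(name, asset.credentials, [(name, ("initial-compromise",))])
    return paths


def condition_counts(paths: List[List[Hop]]) -> Dict[str, int]:
    """How many complete attack paths each finding participates in, most frequent first."""
    counts: Dict[str, int] = {}
    for path in paths:
        used = {r for _, reasons in path[1:] for r in reasons}
        for r in used:
            counts[r] = counts.get(r, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def paths_after_fixing(assets: Dict[str, Asset], edges: Dict[str, List[str]],
                       condition: str) -> List[List[Hop]]:
    """What-if analysis: remediate one finding everywhere and re-run discovery."""
    kind, _, value = condition.partition(":")
    fixed = {}
    for name, a in assets.items():
        if kind == "rce":
            a = Asset(a.name, a.tier, a.rce_vulns - {value}, a.misconfigs, a.credentials)
        elif kind == "misconfig":
            a = Asset(a.name, a.tier, a.rce_vulns, a.misconfigs - {value}, a.credentials)
        elif kind == "creds":
            a = Asset(a.name, a.tier, a.rce_vulns, a.misconfigs, a.credentials - {value})
        fixed[name] = a
    return find_attack_paths(fixed, edges)


# Constructed sample inventory: host names, credential labels and the misconfiguration are placeholders.
SAMPLE_ASSETS = {a.name: a for a in [
    Asset("ws-01", "User Segments", credentials=frozenset({"helpdesk-admin"})),
    Asset("ws-02", "User Segments"),
    Asset("app-01", "Business Apps / IT Systems", rce_vulns=frozenset({"BlueKeep-RDP"}),
          credentials=frozenset({"helpdesk-admin", "svc-backup"})),
    Asset("jump-01", "Business Apps / IT Systems", misconfigs=frozenset({"insecure-remote-mgmt"})),
    Asset("dc-01", "Tier 0 Systems", credentials=frozenset({"svc-backup"})),
    Asset("dc-02", "Tier 0 Systems", rce_vulns=frozenset({"EternalBlue-SMB"})),
]}
# Directed "source talks to destination" connections as an agent or passive sensor would record them.
SAMPLE_EDGES = {
    "ws-01": ["app-01", "jump-01"],
    "ws-02": ["app-01", "dc-02"],
    "app-01": ["dc-01", "dc-02"],
    "jump-01": ["dc-02"],
}

if __name__ == "__main__":
    found = find_attack_paths(SAMPLE_ASSETS, SAMPLE_EDGES)
    for path in found:
        print(" -> ".join(f"{host}[{','.join(why)}]" for host, why in path))
    print("findings by path count:", condition_counts(found))
    for cond in condition_counts(found):
        print(f"paths left after fixing {cond}: {len(paths_after_fixing(SAMPLE_ASSETS, SAMPLE_EDGES, cond))}")
```

On the sample data the two RCE findings sit on the same number of paths, yet fixing them is not equally valuable: patching the RDP vulnerability on app-01 leaves four paths because the helpdesk credential held on ws-01 still opens that host, while patching the SMB vulnerability on dc-02 leaves two. That is the point of running the what-if rather than ranking findings by raw count or by CVSS alone.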
[Screenshot: Breach Attack & Simulation - Network Topology and Network List views, assets grouped by IT Mgmt Network, SWIFT Payment, Datacenter, Corporate Apps, Flex 10, Site 1 and HMI:MMS, with hosts in 172.16.201.0/24 (172.16.201.11, 172.16.201.13, 172.16.201.93, 172.16.201.99); list filtered to the last 7 days.]
Attack Path Discovery for Proactive Threat Hunting and Response Priority

[Screenshot: Qualys Enterprise, Indication of Compromise > Hunting, Active View, with SHA256 5ceec909f3dfc890fdd1e76d6f3cc093465c9d980d68b9987fc3f5eb289b6bd2 in the search box. The unfiltered view lists 675,335 total events (file 258K, registry 384K, network 19.4K, mutex 9.84K, process 3.99K): routine activity such as WindowsAzureTelemetryService.exe, QualysAgent.exe and WmiPrvSE.exe on WIN10PMIOC4 (13.64.103.58, 10.1.1.10) and TCP/UDP connections by svchost.exe on EC2AMAZ-Q1M5FIB (172.31.0.13, 13.233.83.82).]
[Screenshot: the same Hunting view after searching for SHA256 5ceec909f3dfc890fdd1e76d6f3cc093465c9d980d68b9987fc3f5eb289b6bd2: 5 events, all scored 9-10 and classified Trickbot Trojan, on asset SHAREPT003 (172.31.0.111):]

- 21 hours ago, 12:58:21 AM: TCP connection established by temp0291.exe to 66.85.173.57 (tar.theoutlan.com):443
- a day ago, 8:19:31 PM: file temp0291.exe in c:\Users\qualys\AppData\Roaming
- a day ago, 3:12:28 PM: process C:\Users\qualys\AppData\Roaming\temp0291.exe
- a day ago, 3:02:08 PM: mutex \BaseNamedObjects\4C3D653494D1128 created by temp0291.exe
- 2 days ago, 11:18:23 AM: file temp0291.exe in c:\Users\qualys\AppData\Roaming
[Screenshot: Network Topology view with tags; INFECTIONS (4 Events) on hosts in 172.16.201.0/24 (172.16.201.13, 172.16.201.70, 172.16.201.88), in the HR SHAREPOINT, ShippingLabelApp and Flex 10 groups:]

- Process: temp0294.exe - Malware: Trickbot | Risk Score: 9
- File: WormDll64 - Malware: Trickbot | Risk Score: 8
- File: NetworkDll64 - Malware: Trickbot | Risk Score: 8
- File: ShareDll64 - Malware: Trickbot | Risk Score: 8

Quick Menu on the infected host: View Asset Details, Execute a Response, Quarantine Host.
Execute a Response

The following response will be executed for the selected processes and files on the defined hosts.

Process (1)
PROCESS NAME | MALWARE | HOST (risk score column not legible)
temp0291.exe | TrickBot | SHAREPT003
Actions: Kill Process, Quarantine File

File Type (3)
FILE NAME | MALWARE | HOST
WormDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
NetworkDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
ShareDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
Action: Quarantine File
Scale Human Response with

- Find active attacks on endpoint using Indication of Compromise
- Go beyond endpoint detection with Security Analytics - correlate user, network, application, cloud, container
- Use attack path discovery as metadata to detect active attacks reaching critical assets
- Automate response to protect critical assets using response playbooks